Critical Cisco ISE vulnerabilities let authenticated remote attackers execute code
Cisco has disclosed two vulnerabilities in Identity Services Engine, or ISE, and ISE Passive Identity Connector, or ISE-PIC, that can let an authenticated remote attacker execute code or read sensitive files on affected systems. The more serious flaw, CVE-2026-20147, carries a CVSS score of 9.9 and can lead to remote code execution with valid administrative credentials.
According to Cisco’s April 15 advisory, both flaws require valid admin access, but they do not depend on each other. A system vulnerable to one issue may not be vulnerable to the other, and an attacker does not need to chain them together to exploit them.
The remote code execution bug stems from insufficient validation of user-supplied input. Cisco says an attacker could send a crafted HTTP request to gain user-level access to the underlying operating system and then escalate privileges to root. In single-node deployments, successful exploitation can also make the affected ISE node unavailable and cause a denial-of-service condition for endpoints that still need authentication.
The second flaw can expose sensitive files
The second issue, CVE-2026-20148, is a path traversal vulnerability with a CVSS score of 4.9. Cisco says an authenticated remote attacker with valid administrative credentials could abuse it with a crafted HTTP request to access and read arbitrary sensitive files from the underlying operating system.
Cisco says there are no workarounds for either vulnerability. The company is urging administrators to move to fixed releases instead of relying on temporary mitigations.
At the time of publication, Cisco PSIRT said it was not aware of public announcements or malicious in-the-wild exploitation tied to these vulnerabilities. The bugs were reported to Cisco by Jonathan Lein of TrendAI Research.
Affected releases and patch guidance
The patch path depends on the release in use. Cisco says organizations on releases older than 3.1 should migrate to a supported fixed release, while supported branches need specific patch levels released in April 2026.
| Cisco ISE / ISE-PIC release | First fixed release |
|---|---|
| Earlier than 3.1 | Migrate to a supported fixed release |
| 3.1 | 3.1 Patch 11 |
| 3.2 | 3.2 Patch 10 |
| 3.3 | 3.3 Patch 11 |
| 3.4 | 3.4 Patch 6 |
| 3.5 | 3.5 Patch 3 |
Cisco also notes that ISE-PIC has reached end-of-sale status, and release 3.4 is the last supported release for that product line. Separately, Cisco’s end-of-life notice page lists an end-of-sale and end-of-life announcement for Cisco ISE-PIC dated May 6, 2025.
For security teams, the main takeaway is simple. These are authenticated bugs, not unauthenticated internet-wide worms, but ISE often sits in a critical identity and policy enforcement role inside enterprise networks. That makes fast patching important, especially in environments that rely on single-node deployments or use ISE as a central control point for endpoint access. This last point is an inference based on ISE’s role and Cisco’s warning about single-node disruption.
What admins should do now
- Check which ISE or ISE-PIC release your environment runs.
- Apply the first fixed release Cisco lists for that branch.
- Prioritize single-node deployments because Cisco says exploitation of CVE-2026-20147 can make a node unavailable.
- Review and limit administrative access because both bugs require valid admin credentials.
- Plan migrations now if you still run unsupported releases older than 3.1.
FAQ
How severe is CVE-2026-20147?
Cisco rates CVE-2026-20147 as critical with a CVSS score of 9.9. It can let an authenticated remote attacker execute arbitrary commands on the underlying operating system.
Does an attacker need to chain the two vulnerabilities?
No. Cisco says the vulnerabilities are independent, and exploitation of one is not required for the other.
Are there workarounds?
No. Cisco says no workarounds are available for these vulnerabilities.
Is there evidence of exploitation in the wild?
Cisco PSIRT said it was not aware of public announcements or malicious use in the wild as of the advisory’s publication on April 15, 2026.